In my particular situation its not a case of "untrusted" data, but I have to escape the data been passed. I know if I do this (noticed the single quotes):

my $statedata = join ' OR ', map { "state = ‘$_->{ state}’" } @$cityda
+ta;
[download]

The single quotes need to be there in order to work and by using place holders I would not have to do that.